Re: [TLS] Twist security for brainpoolp256r1

Oleg Gryb <> Tue, 11 November 2014 22:45 UTC

Date: Tue, 11 Nov 2014 22:44:03 +0000
From: Oleg Gryb <>
To: Manuel Pégourié-Gonnard <>, Oleg Gryb <>, Johannes Merkle <>, "" <>

> It's the cost of an attack for an attacker who can force you to accept a point
> that is not on the curve but on its non-quadratic twist.
> In the context of TLS (with the currently available curves and point formats)
> what safecurves calls "twist security" is totally irrelevant: either the
> implementation validates that points are on the curve, or you're vulnerable to
> an invalid curve attack which is much more powerful than a twist attack.
> Any decent implementation (which includes OpenSSL and some others) of ECC with
> TLS will check that points belong on the intended curve.

It answers my question, thanks.

>> The last question that I have is related to brainpool curves implementations in openssl.
> This question is more suited to the OpenSSL list, as it is specific to this
> implementation. This list is about the protocol.

What about EC arithmetic optimization specific to a curve? Is it a kind of question that is appropriate for this forum? If it is, probably somebody can provide pointers about optimizations that have already been implemented for the curve in the subject. I think efficiency should be an important consideration of this protocol.
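
The on-curve check the quoted reply refers to, as an added example that is not part of the original message and not code from OpenSSL or any other implementation named in the thread: it validates an uncompressed (x, y) point against the brainpoolP256r1 equation and shows that an x-coordinate belonging to the twist can never pass that check. The curve constants are the RFC 5639 values; the function names are illustrative.

```python
# brainpoolP256r1 domain parameters from RFC 5639, section 3.4 (cofactor h = 1).
P = int("A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377", 16)
A = int("7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9", 16)
B = int("26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6", 16)
GX = int("8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262", 16)
GY = int("547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997", 16)


def rhs(x):
    """Right-hand side x^3 + A*x + B of the curve equation, reduced mod P."""
    return (x * x * x + A * x + B) % P


def validate_point(x, y):
    """Accept an affine peer point only if it is in range and on the curve."""
    if not (0 <= x < P and 0 <= y < P):
        return False  # non-canonical coordinates are rejected, not reduced
    return (y * y - rhs(x)) % P == 0


def classify_x(x):
    """Say whether a bare x-coordinate belongs to the curve or its quadratic twist."""
    v = rhs(x % P)
    # Euler's criterion: v is a square mod P iff v == 0 or v^((P-1)/2) == 1.
    return "curve" if v == 0 or pow(v, (P - 1) // 2, P) == 1 else "twist"


def first_twist_x():
    """Smallest x >= 1 for which no y in F_P satisfies the curve equation."""
    x = 1
    while classify_x(x) != "twist":
        x += 1
    return x


def demo():
    """Run the validator over constructed sample points and return the verdicts."""
    xt = first_twist_x()
    # P % 4 == 3, so this would be a square root of rhs(xt) if one existed.
    y_candidate = pow(rhs(xt), (P + 1) // 4, P)
    return {
        "generator": validate_point(GX, GY),
        # (GX, GY + 1) fits the equation only for a different B: an off-curve point.
        "off_curve": validate_point(GX, (GY + 1) % P),
        "out_of_range": validate_point(GX + P, GY),
        "twist_x": validate_point(xt, y_candidate),
    }
```

With full (x, y) encodings, a twist x-coordinate has no matching y in the base field, so the single equation check rejects twist points and other off-curve points alike.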